Nobody ever told me…

One of the most overlooked ways to hack into your home or small office network is the modem/router that likely provides your Internet connection.

Hundreds of thousands (if not millions) of Internet routers have been hacked.

In one test, security researchers analyzed 20 of the highest-selling routers and found that half of the devices had multiple security vulnerabilities, which didn’t even include configuration errors.

According to Bitdefender’s real-time monitoring, routers are one of attackers’ most targeted Internet-of-Things devices.

Most people receive a combination modem/router from their Internet Service Provider (ISP), but some people purchase their own. Even though you can have a separate modem and router, the majority of those provided by ISPs are combined into one piece of equipment. For the sake of simplicity, we’ll refer to this device as a router.

Wherever the device came from, most people never change critical settings that can make it very easy to hack.

Here’s where you start

The first, and probably the most important thing to change, is the primary login credentials to manage the device. Almost every router comes with a default User ID and password. In the setup guidelines (which many people never read), one of the first instructions given is to change these settings.

Most people never do, and this gives an attacker easy access to your router.

The default User ID for many routers is “admin,” with a password of “password.” Some routers come from an ISP with a label on the back that shows the password. The one we received from our ISP has a sticker on both the front and back of the router, to make access easier for the owner.

Leaving the default administrator credentials in place is not much different than having a front door without a lock. Attackers know the default login credentials for most routers, and use them to hack into these devices every day.

There is even a website that provides the default credentials for many routers (designed for people who reset their routers and can’t find the setup documentation that came with the device). To check the default information for your router, go to https://www.routerpasswords.com/.

When changing the administrator User ID, create something that contains a different User ID than you use for any other login. The administrator password also needs to be unique and not easily guessed. Password managers, such as LastPass, can help you to generate a unique and secure password, and then help you remember it by storing the administrator login credentials in the encrypted LastPass database.

According to a report from Tripwire, a cybersecurity firm, 46% of consumers and 30% of technology professionals never change their default router passwords.

You may be asking what someone could do with administrator access to your router. Here are just some of the possibilities:

• The attacker can redirect your Internet connection to a web page that phishes for your account credentials.
• A hacked router can take you to a web page that tells you to download software updates that may infect you with malware.
• An invader can conduct what is called a “man-in-the-middle attack,” so they can see everything you do on what you believe is a secure and encrypted connection.
• The hacked router can be hijacked to serve as a “bot” on a malicious botnet that can be used to launch Distributed Denial of Service (DDoS) attacks against websites, companies, or even government agencies.
• The router can be used to attack other devices connected to your network, potentially providing access to any data stored on or transmitted by those devices.
• If any Internet-of-Things (IoT) devices are connected wirelessly to the router, they could be taken over remotely to spy on anything within range. Think smart TVs, home assistants (Amazon Echo, Google Home, etc.), or other devices such as the intelligent Nest thermostat or the Ring doorbell.

The other important setting to change is the Service Set Identifier, or SSID, of your router that provides your wireless signal (some routers have more than one). The SSID is the name of your network that is broadcast to anyone that may want to connect.

Unfortunately, many routers come with a default SSID that shows the manufacturer and the model number of the router. Using routerpasswords.com and other resources, it’s very easy to look up the default administrator login credentials to see if they still provide access.

If the router provides the capability of multiple Wi-Fi networks (many routers can have several), make sure to change the access passwords to connect to each of these networks.

Lots of routers today have at least two frequencies: a 2.4 gigahertz band and a 5 gigahertz band. If you have a router with these frequencies, they can each have a different name and connection password.

There are some fundamental differences between the two frequencies. The 2.4 GHz band is probably used by other appliances or devices in your home or office. For example, most older cordless phones, garage door openers, and baby monitors use this frequency. One of the reasons it is more widely used is that the signal travels farther and transmits better through walls to provide enhanced coverage.

If someone outside is scanning for nearby Wi-Fi signals, they are most likely to see your 2.4 GHz signal as available for a connection.

The 5 GHz band is not currently used much by other devices (although this may change with the addition of more Internet-of-Things devices) and does not transmit as far as the 2.4 GHz band.

Some security professionals suggest that using the 5 GHz band may be more secure, just because someone in your neighborhood may not be able to detect it and try to connect.

Name each of your wireless network segments with different SSIDs that are something not identifiable with you or your location. Naming an SSID as “Walt’s Network” or leaving a default SSID as the model of your router is not a good idea. Give each a unique name, so they can’t be easily associated with the same router.

Many of the better routers will allow you to create different wireless segments and give you the capability to limit the use of individual segments by user or device, with a different password for each one.

Examples of why this is useful would include creating a “guest” segment for visitors who do not need permanent access to your network. Another use might be only to allow the Internet-of-Things (IoT) devices to connect to a separate network segment.

I would recommend creating a secure encrypted note in your password manager that contains all of the information about your router (manufacturer, model number, serial number, default User IDs and passwords, along with the new ones you generate to improve the security of the router). This might come in handy in the future.

You will also want your router to use the most up-to-date encryption, which is currently WPA2.

Finally, check for firmware updates. Firmware is the embedded software that controls everything on your router. Users can’t delete the firmware, but it can and should be updated. Similar to software updates on other devices, firmware updates fix security and software problems that have been identified for the router. Firmware updates should be available from the router manufacturer’s website.

If you are not able to update the router’s firmware, it’s probably time to replace it with a more updated (and secure) model.

Are There Other Options?

If you’re interested in exploring more secure routers or other devices that will protect your home or small office network, consider the following, but do your research before deciding what might best serve your needs:

The F-Secure Sense Security Router – https://www.f-secure.com/en_US/web/home_us/sense

The Bitdefender Box 2 Smart Home Cybersecurity Hub – https://www.bitdefender.com/box/

Dojo, by Bullguard – https://dojo.bullguard.com/dojo-by-bullguard/

The Pepwave Surf SOHO router – https://www.peplink.com/products/pepwave-surf-soho/

The Norton Core Router – https://us.norton.com/core

There are other settings and best practices related to router security that can improve your safety even more but are beyond the scope of this post.

For additional information, go to:

https://routersecurity.org

Conclusions

While improving the security of your router(s) won’t protect you from every threat, if you follow these recommendations, you will have done more than most to reduce some of your techno-crime risks.

If you’re interested in more tips to increase the security of your smart home, we’ve published a free Smart Home and Mobile Device Security Checklist that is available in the Free Member Content Library on our website at https://technocrime.com/library. You’ll need to create an account with a User ID and password, but then you’ll have free access to everything in our library as we create more information. And don’t worry, registering for access does not add you to our mailing list and we will never share your information.

Let me know your thoughts about this topic, and if you have other recommendations to share, please leave a comment.

This new technology is solving decades-old cold cases

DNA has been used to identify suspects in hundreds of thousands of criminal cases since the 1990s. The national criminal database, CODIS, currently contains the genetic data of over 13 million people, along with fingerprints and other biometric data collected by law enforcement.

Although the FBI is the only federal agency authorized to maintain a national DNA database, many states, and even local law enforcement agencies, have also begun to collect DNA and maintain their own databases.

But did you know that even if you’ve never had a DNA sample collected by a law enforcement or government agency, today your DNA might be involved in a criminal investigation?

The use of familial DNA searches, the process of examining and comparing the DNA of people who might be related to a suspect, is being used by law enforcement to solve a significant number of criminal cases.

Some of these are cold cases that have been open for decades.

The National District Attorney’s Association describes familial DNA search process:

“Familial searching is a technique whereby a crime scene profile is deliberately run through the offender databank in the hopes of getting a list of profiles that are genetically similar to the DNA evidence and using this information as an investigative lead to interview family members of the near matches.”

DNAForensics.com provides more details about the process:

“When a DNA profile is obtained from a crime scene and that profile is passed through the FBI’s electronic program, the Combined DNA Index System (CODIS), a perfect hit will be obtained if all 26 alleles match a DNA profile in the database, indicating that the DNA sample is from the same person. But if a partial match occurs on at least 15 or more alleles then this could indicate that a close relative left the sample at the crime scene. A relative whose past conviction or arrest required him to provide his DNA can now send another family member to prison.”

(An “allele” as referenced by DNAForensics.com is a variation in a gene that is found in a specific spot on a chromosome, which, as I understand it, is a molecule containing all or part of a person’s DNA.)

Also see:
https://www.nij.gov/topics/forensics/evidence/dna/basics/Pages/analyzing.aspx

By expanding this process to include DNA data from other public sources and private companies, investigators now have the ability to go beyond the data contained in criminal databases in order to help identify suspects.

Perhaps the most notable example solved with this new technique is the California case of the Golden State Killer. A double murder occurred in 1980, and the suspect left DNA evidence at the crime scene. But investigators couldn’t match the DNA to any record in a criminal database, and without additional information, there weren’t any other leads.

Millions of people have submitted DNA samples to companies in the genetics industry to discover their ancestry or to see whether they have genetic markers that might indicate a higher potential for some diseases.

In addition to the information given to the customers, the genetic databases are valuable to medical researchers. The data can potentially be used to find the genetic causes of various diseases and medical disorders, which could lead to cures.

The resulting databases of genetic information contain millions of records from people who are not contained in criminal databases. This data is now being used by law enforcement, even though the people who submitted samples may not have been aware that law enforcement would have access to these records.

In April of 2018, investigators uploaded the DNA evidence related to the Golden State Killer to an open-source, public genealogy website named GEDmatch. With an account, anyone can see genetic data without a court order, usually when looking for unknown or distant relatives.

After setting up a fake profile account on the service, investigators used the same type of familial search and were able to match the unknown suspect’s DNA with possible relatives. By following the known family tree, investigators used more traditional investigative techniques, such as eliminating people by age, death, known locations, and gender to narrow down the list of potential suspects.

The data provided by this new field of familial genetics forensics identified the suspect, Joseph James D’Angelo. An ex-police officer, D’Angelo is a possible suspect in 13 murders, 50 rapes, and over 100 burglaries committed between 1974 and 1986. Even though D’Angelo was later cleared of the double murder charge (also after further DNA analysis), he still faces charges in the other crimes.

In the past year, over 50 other cold cases have been solved using this method.

Just recently, a Washington state court ruled that the use of familial genetics evidence that identified a suspect from another cold murder case could be admissible in his trial. After the initial DNA analysis from the crime scene was uploaded to GEDmatch, the database produced a match with a pair of second cousins to the DNA sample. A genetics forensics expert then reviewed the family tree and looked through newspaper articles, obituaries, census records, and even social media posts to follow the family tree leads. Her analysis targeted a male suspect, William Earl Talbott II.

Based on the DNA analysis, investigators placed the suspect under surveillance and collected a cup that the suspect had thrown away. His DNA was taken from the container and used for a direct comparison with DNA from the 1987 murder. The DNA matched.

However, with no other corroborating evidence, it will be up to the prosecutors in the case to determine whether the DNA analysis alone is enough to obtain a conviction.

The success of familial genetics forensics will only increase with the data volume as the number of customers grows. Private genetics companies have databases that contain millions of genetic profiles. GEDmatch (which is public) includes over 1.2 million records. Family Tree DNA has approximately another million profiles. But the more prominent players in the industry have much larger databases (23andMe – 10 million and Ancestry.com – 15 million records). The terms of service for each organization are different related to law enforcement access, which complicates the situation even more.

Should You Think Differently About DNA?

You could make an argument that DNA is different from other types of biometric data. DNA is what makes you uniquely you, but unlike other biometrics such as fingerprints, iris scans, or face prints, parts of your DNA are shared with people related to you.

Consider the possibility of an innocent person whose DNA resembles the DNA found at a crime scene being questioned about other family members.

• How many people would be comfortable in this scenario?
• Would everyone agree to his or her DNA records and other related information being reviewed by law enforcement during a familial genetics investigation?
• Do individuals have a right to be concerned about the privacy of their biometric data?
• What about the security of digitized biometric data, and what would the possible consequences be if that data were stolen?

What Do You Mean There Are No Laws Regarding DNA?

There are currently no federal or state laws addressing the ownership of an individual’s DNA. Customers need to review the laboratory’s or company’s terms of service and privacy policies for this answer and many other issues.

The prevailing practice is that once a sample is submitted for analysis, the individual owns the sample until it is processed. Once processing is complete, the lab or company where it was sent owns the data.

Once ownership has transferred, the person who submitted the sample has no control over what the data is used for, how it is shared, or to whom it is sold.

There are no regulations about how your DNA might be used, and for what purpose.

Possible consequences might include:

• Being turned down for insurance coverage due to something in your DNA.
• In the United States, the Genetic Information Nondiscrimination Act (2008) prohibits unfair treatment related to medical insurance but does not address how life, disability, or long-term insurance providers may act.
• How might DNA markers indicating intelligence be used?
• Could your DNA become part of a pre-hiring due-diligence review?
• Some researchers want to link DNA profiles to income and other data to look for correlations. Even though this might produce interesting results, could this type of data also result in discrimination?
• Could the ethnicity and/or race markers from full DNA profiles be used in a discriminatory fashion?
• What would the impact be in situations where the suspect was adopted?

Should law enforcement have unrestricted access to your DNA?

Some legal experts think that access to DNA profiles by law enforcement is a violation of the Fourth Amendment, and should require either a search warrant or a court order to access.

In other cases, courts have ruled that if people voluntarily provide information (or a biometric sample) to a third party, they have waived their right to privacy.

Some of the commercial genetics companies restrict access by law enforcement in their terms of service to cases involving only murder or violent crimes, but there is no consistency from service to service.

The DNA usually collected from people arrested by law enforcement doesn’t typically include a full profile like the ones produced by the genetics firms, and doesn’t include things like physical characteristics or medical/genetic disorders.

There is a growing debate about providing these more detailed profiles to law enforcement. Andrea Roth, Director of the University of California Berkeley Center for Law and Technology, said: “All the Supreme Court decisions about why existing offender databases don’t violate Fourth Amendment rights are all premised on the presumption that nothing personal can be gleaned from this junk DNA. Now that’s all up in the air. I think the bottom line is now everybody is about to be under genetic surveillance one way or another, unless we regulate the government’s ability to conduct genealogy searches.”

The counter-argument to this view is that familial genetics forensics has identified extremely violent criminal suspects who avoided detection for years (if not decades).

But what about the privacy of a criminal suspect’s relatives, and the fact that they could be considered as potential suspects in a crime they had no part in? In using DNA and genealogy to build family trees, even people who have never submitted a DNA sample might now be included in the suspect pool.

As you can imagine, there are lots of arguments about this process, and no legal precedents to give definitive answers.

Conclusions

The legal and privacy issues surrounding this new practice of familial genetics forensics raise many questions. Inadequate law, lack of regulations, inconsistent terms of service, the ability of customers to “opt out,” and practices involving the use of DNA by law enforcement are all factors that need additional discussion.

I’m sure a high percentage of people who’ve sent their DNA to one of the genetics companies were never explicitly told that their profile might be involved in a criminal investigation. Perhaps more transparency from the firms to make this clear would help, but they don’t have much incentive, and there are no regulations that require this type of notice.

People might also have second thoughts about submitting a DNA sample to one of these companies if they realized all the ways that their DNA data might be used or sold.

It’s becoming even more complicated when you consider how often private companies and government agencies are collecting biometric data at all levels.

Do we need laws or regulations about privacy for this type of data?

Or should there be no restrictions, since the owners of the commercial services now own the data related to the customer’s DNA, and can use it however they please?

On the other hand, after over 20 years in law enforcement, I recognize the need to be able to identify and arrest criminals, especially in violent cases, because without this technology they might escape responsibility for their crimes.

An article entitled “A Great Time to Be a Cold Case Detective — If We Can Use The Tools,” by Cloyd Steiger, Chief Criminal Investigator of the Washington State Attorney General Homicide Investigation Tracking System, expresses it well:

“I suggest lawmakers and lab administrators who are reluctant to use these techniques sit in a room and look into the dead eyes of a mother who lost a child to murder years ago. Explain to her that using this technology is a bad idea.”

There’s no argument about the value of this new source of evidence gathering. But we all need to work together to make sure that the legal and privacy issues are addressed, and that the chances for unintended consequences, misunderstandings, and abuse are resolved.

What do you think?

Protecting yourself when using public Wi-Fi is important. I talked about this in a previous blog, but I felt that it is such an important topic that I’m giving you more information. Thanks to my friends at TurnOnVPN, who wrote this guest post. After reading this post, I would also encourage you to visit their website for even more information…

Now for their post——————

Corporate professionals who are frequent travelers must be well-acquainted with free public Wi-Fi at airports and stations, but many might not be aware of the cybersecurity risks of free Wi-Fi on both the individual and the company’s confidential communication.

Cybersecurity risks you’ve repeatedly overlooked

Before connecting to most public Wi-Fi networks, you are usually required to agree to some terms and conditions. That is the only hurdle to overcome before connecting, so most people tend to ignore them out of eagerness to get online.

But if you take the time to glance through a couple of sentences, you will understand why your data might not be secure once you’re logged in. In fact, the owners themselves know that their connections may be wildly unsafe and try to warn you so that they are not held responsible for whatever happens after.

You don’t have to take my word for it. We can pick a few examples of businesses offering free Wi-Fi to the public and see what their policies are.
Starting with Suddenlink, they state of their Wi-Fi zones in the US that “You acknowledge that the [Wi-Fi] service is inherently not secure and that wireless communications can be intercepted by equipment and software designed for that purpose.”

If that is not explicit enough, consider what Tim Hortons – a revered coffee chain from Canada – has to say. I It’s stated in their privacy policy highlights that they collect user data through available sources such as their in-restaurant Wi-Fi, and data includes your IP address, your interaction with content through their internet service, your location information and more.

Matters are not even helped when we move on to the likes of Arqiva. You should note that this is a company dedicated to fitting the lounges of airports with a Wi-Fi network and would be expected to have the best tech in the game. Surprisingly, they admit “the transmission of information via the internet and via the service is not secure.”

I can go on and on, but I believe you get the idea. Even if every other data I provide might not convince you, hearing it from the providers should set some bells ringing.

Network operators want to strip you bare

As if all of the above were no reason for worry, another threat comes in the form of the network operators. Apparently, you could still be susceptible to internet privacy breaches even if the network were tightened against external attacks.

Again, the companies who give their customers free Wi-Fi don’t hide this. It is yet another common feature in their terms and agreements.

The Puerto Rico District Court says of its own Wi-Fi network that “all communications over the [Wi-Fi] service may be subject to monitoring and should not be considered either private or protected.” Coming from a court of law, isn’t that rather ironic?

Little wonder then that other firms can do the same. After all, Virgin Media holds the right “to monitor and control data volume,” while the guys over at the Oscars can also “monitor and collect information while you are connected to the [Wi-Fi] service.”

Possible attacks on public Wi-Fi

If you have not already started picking up on it, the biggest problem with using free public Wi-Fi connections is in the way of data leak. How does this happen?

• Man in the middle attacks
  • Experienced hackers can place themselves between two sides of a conversation. This allows them to intercept the messages being sent and received. They will also be able to hijack the conversation at any point, pose as either side, and extract sensitive information from either of the sides.

• Rogue networks
  • Hackers may also set up rogue networks that will look legit and offer free connection to interested users. Once those users connect, they will be at the mercy of the hacker who will now be able to access all of their activity.
  • This grants the hacker access to bank logins, forum passwords, sensitive data, emails, and so much more.
• Malware attacks
  • Due to a lack of encryption on public Wi-Fi networks, hackers can freely upload malware to the server.
  • Everyone who connects to such a network faces the risk of downloading the malware to their computer units. This holds so much more significance since the hacker would still be able to maintain remote access to the computer – through the malware – even after the user disconnects from the network.

How you can protect yourself better

There isn’t supposed to be any harm in just being able to enjoy your free Wi-Fi connection in peace. With a number of unscrupulous individuals hunting your sensitive data though, that is not the case.

The ideal thing to do would be to stick to your own data plans and do away with the free Wi-Fi in the first place. If that is not an option, downloading a quality VPN on your iPhone is highly recommended.

A VPN will allow you to connect like always. The difference is just that you would be using a different server to send hackers on the wrong trail. That is not to mention being able to better mask data you send over the otherwise insecure network, since the transmitted data between your device and the VPN server is encrypted.

In addition to that, you also get to access content that might have been blocked on the Wi-Fi network.

With such procedures in place, you can keep enjoying your coffee shop freebie without having to worry about losing your bank login details – or some other important data – to some snooper.

Thanks again to TurnOnVPN for the great information, and if you use public Wi-Fi, be aware of and minimize the risks before you connect!

We live in an exciting time, where new technologies are providing us with fascinating capabilities that have never been possible.

We’ve previously talked about how some of these technologies can be used by criminals to help commit crimes or to make it more difficult for us to find them. If you haven’t read these previous posts, we’ve discussed the darknets, the Internet of Things, the risk from unsecured Wi-Fi, and cosmos computing.

I also talked about the need for a new vision in the world of investigations. It seems that the models we’re using aren’t making progress fast enough. Instead of gradual, incremental change, we need to evolve into the professions that will be needed for the future.

But today, instead of talking about how technology is making it easier for the techno-criminals, I want to talk about how we might leverage technologies that could potentially revolutionize investigations and our legal systems.

Two of these technologies are augmented reality and virtual reality.

Augmented reality will basically add layers of information on top of the real world that we see (I recommend starting this YouTube video at about the 27-minute mark, and you can watch as long as you’re interested). This may be in the form of some type of headset or specially-designed glasses that will work like a “heads up display.” It might be using the camera of your mobile device with artificial intelligence to provide more details about what you see. So this technology will augment, or add to, our perception of the world.

Virtual reality can also amplify the real world, but it can go even deeper to provide more immersive experiences. Companies are already designing virtual worlds where you can live, work, and play. In these worlds you can be anything or anyone you want to be.

You may think that virtual reality will only be like enhanced video games, but let me assure you that it will be much more sophisticated than that. Many of the virtual worlds will create entirely new environments that will be limited only by your imagination.

Who wouldn’t want to visit or live in a virtual world that could provide an experience that isn’t possible in the real world? In these worlds, if you could feel beautiful/handsome, stronger, more intelligent, or have super powers, would you at least be curious to give it a try?

The positive psychological and emotional feedback that these experiences can provide is why these worlds have the potential to be very attractive and massively addictive.

I’ve read many articles that use the term “metaverse” for these various new layers of reality that will soon be available to everyone.

With this technology you’ll be able to choose how many layers you use, and the deeper you want to go, the more immersive the experience can be. Some experts are afraid that these virtual worlds will be so addictive that some people may prefer to stay in those worlds and not function at all in our physical real world.

It’s interesting to think about the possibilities of having multiple personas in different virtual worlds, and how that could change our lives, but that’s not the focus of this post.

I want to think about how these technologies could be used to help us with some of the challenges that we’re facing with the future of investigations.

We’re already falling farther and farther behind the techno-criminals. We have limitations they don’t have, and we have to play by rules they aren’t bound by.

This situation can get much worse if we don’t start thinking about new and innovative ways to take advantage of technologies to give us faster progress.

There are predictions that by 2021 there will be 3.5 million openings for cyber security professionals that we won’t be able to fill.

Most law enforcement professionals will certainly agree that today we can’t hire enough digital forensics professionals. Most agencies with any type of digital forensics capability are overwhelmed with the demand for those services, and are either severely backlogged or are limited to providing digital forensics analysis for only high-priority cases.

This doesn’t include the significant demand for digital forensics experts in the private sector as well. Will the public sector be able to recruit and maintain the digital forensics professionals needed, while competing with the higher salaries and benefits that the private sector can offer?

In addition to these problems, as technology becomes more sophisticated, professionals in both security and digital forensics will be forced to specialize. It will critical to make sure they have the training, experience and the tools for their areas of technical specialization.

That could mean that for many cases involving technology and electronic evidence, you’ll need to assemble a team of these expert specialists to conduct your investigations.

If this assumption is valid, the person, agency, or company with the responsibility of conducting an investigation will need to know who these specialists are, how to contact them to determine if their expertise is what is needed for the case, and then find out whether they’re available to help.

I’ve called this the “Hollywood model of investigations” because it is similar to the process used to create a feature film. The producers choose a director, and then work together to identify the various specialists they want to work on the film, to include casting, video, special effects, costumes, set design, editing, and more. These specialists come together to work on the project, and when the film is completed they move onto the next job.

This may very well be the type of model that we’ll need for future investigations involving technology, because we can’t expect any single company or agency to have this wide range of specialized technical investigations expertise on staff.

So what possible solutions can we develop to help solve some of these challenges?

Could we use augmented reality or virtual reality to overcome some of the limitations we face?

Both of these technologies plus artificial intelligence could be used to develop training programs for digital forensics practitioners, demonstrating how to collect and preserve digital information from multiple devices. Step-by-step guidance through an established investigative strategy using best practices could also make sure that nothing is missed or completed out of order.

From a training perspective, being able to put investigators through simulated situations that appear to be more real will help them to learn and remember the information compared to traditional classroom teaching methods.

As more and more of our applications and data migrate to the cloud, will the physical presence of an investigator be required at a crime scene more…or less?

Consider the possibility of using virtual reality to give a tour of a crime scene by the best expert in the world investigating a specific type of crime. Could this be a more efficient use of their expertise, or would we lose the “sixth sense” perception from them being physically present?

We’ve already talked about how we will need more specialized technical investigators. Can these technologies allow investigative specialists from other countries to help from anywhere they happen to be, without the need for travel time and costs?

What about data collection and preservation from a cloud environment? Could augmented/virtual reality technology help to minimize the time and costs of this data acquisition?

Using augmented or virtual technologies will make authenticating the integrity of digital evidence even more critical, since there may be cases where a person from the investigative team never actually touches a device containing digital evidence.

This scenario could also create a need for universal expert specialist investigative certifications that would be recognized and accepted all over the world.

Could we also see a transformation to digital courts, where most or even all the participants are present virtually, but not physically?

There are already organizations virtually transporting jurors to crime scenes.

Think about the possibility of virtual courts. Could virtual reality testimony be more efficient? Or once again, do we lose a critical dynamic in a court setting when all of the participants are physically present?

Could this environment overcome the limitations of geographically based legal jurisdictions?

Technology continues to evolve.

The techno-criminals are already taking advantage of advancing technology. Why can’t we?

We should start thinking about how we can evolve…before we are left behind.

Introduction

Are you tired of hearing about yet another significant data breach? As I was reading about the most recent breach of Marriott and how the attackers were probably inside the Marriott system for four years (or longer), I got mad.

You should be mad too.

There’s no reason we should accept a lack of security from organizations (both corporate and government) that have collected our personal information. Many of these breaches were due to either pure negligence or management deciding to not spend the money to upgrade their network security to an acceptable level.

It’s frustrating that we’re still talking about many of the same problems with computer security that have existed for decades, even as the volume of data has exploded.

These attitudes about digital security are no longer acceptable.

It’s time for us to hold these people and organizations accountable. When I say “accountable,” I mean both criminally and civilly.

Instead of the United States continuing to be almost the only developed country without federal protection for personal data, we need to pass new legislation requiring this protection. The law should make the penalties and punishments severe enough to make organizations think seriously about their efforts and the resources to provide for security.

The problem won’t go away unless the probable consequences of failure to protect this data are real and substantial.

Senior executives and boards of directors who were aware of security problems (or should have been) and took no action to protect our data should face the risk of criminal prosecution as well as individual civil liability.

Situations like this have historically been considered to be “white collar” crime and have not been a high priority in our legal system.

This needs to change.

There’s too much fraud and other crimes involving digital technologies.

Yet there still doesn’t seem to be much interest in protecting people’s financial and personal information.

Too many organizations still consider the risk of a data breach as a “cost of doing business.”

After the Marriott breach was made public, several people have suggested that these breaches will not go away unless someone is prosecuted criminally and goes to prison.

https://gizmodo.com/only-jail-time-and-stiff-fines-will-stop-this-say-sena-1830779327

http://www.govtech.com/security/Senators-Call-for-Stricter-Data-Protections-Post-Marriott-Hack.html

I agree.

It’s time to change the mindset and to force responsibility and accountability. If we don’t change the approach to security as technology continues to grow exponentially, we’ll see more techno-crimes of all types.

Let’s send a message that we won’t accept this attitude anymore.

In the meantime, what can you do?

The first thing I would recommend is to freeze your credit reports.

I understand that this is not convenient for every person, but think about the convenience compared to the risks of your personal information, financial data, and medical records being stolen in a data breach.

You’ll need to make that decision depending on your individual circumstances, but that’s what I strongly recommend.

For more detailed information about freezing your credit report:

Equifax
Experian
TransUnion
Innovis

Another aspect of this problem is to check to see if the children in your family have a credit history. For a child under 16, in most cases there is no reason for a credit record to exist. But if a child’s identity has been stolen, the theft might not be discovered for many years. That could make the problem much harder to clean up years later when it comes to light. It can be a bit more difficult to check a child’s credit history, but it can certainly be done.

For more information:

Credicards.com

Consumer Financial Protection Bureau

Final thoughts:

We need more security and digital investigations professionals.

Did you know that some projections say that by 2021 there will be over 3 million cyber security positions that we won’t be able to fill?

3.5 million!

This number doesn’t even include digital forensics investigators who will also be needed to investigate the exploding number of techno-crimes.

We’ll need more of these experts to provide better security for our data, and to investigate crimes that will still occur.

Finally, there are too many organizations — both public and government based– that are collecting an ever-increasing amount of data about every person.

It’s time to hold them all accountable, and to demand that they take action to secure our data…or pay the consequences.

The days of ignoring security and facilitating the theft of our data need to end.

Perhaps the only solution will be when those responsible have an individual or corporate price to pay for their negligence or lack of responsibility.

Enough is enough.